SANGFOR Technologies Co., Ltd.
International Service Centre: +60 12711 7129 (7511)
Malaysia: 1700817071
Email: tech.support@sangfor.com.hk
RMA: rma@sangfor.com.hk
SSL M6.8EN User Manual
FEB2015

Summary of Contents for Sangfor M5100

  • Page 2: Table Of Contents

    Symbol Conventions ............................13 CLI Conventions ..............................13 Technical Support ............................... 14 Acknowledgements ............................. 14 Chapter 1 Knowing Your Sangfor Device ........................15 Operating Environment ............................15 Product Appearance ............................15 Connecting Sangfor Device ..........................16 Chapter 2 Initial Login to Admin Console ........................19 Logging in to Admin Console ..........................
  • Page 3 Configuring License of Device and Function Modules ................33 Modifying System Date and Time ......................35 Configuring Console Options ........................35 Generating Certificate for Sangfor Device ....................37 Configuring SMTP Server ........................... 39 Network Settings ..............................40 Device Deployment ............................ 40 Scenario 1: Deploying Device in Gateway Mode ................
  • Page 4 Configuring Login Policy ........................102 Configuring Login Page ........................105 Scenario 5: Assigning Login Page to Specific User or Group ..........109 Uploading Icon to Device ......................... 111 Clustering ..............................112 Terminology ............................112 Main Features of Cluster ........................112 Deploying Clustered Sangfor Devices ....................115...
  • Page 5 Deploying Clustered Device in Single-Arm Mode ..............115 Deploying Clustered Device in Gateway Mode ................ 116 Deploying Clustered Device with Multiple Lines ..............117 Viewing Clustered Node Status ......................120 Viewing Cluster Online Users ......................120 Scenario 7: Configuring Clustered Sangfor Device ................122 Configuring Clustered Device in Gateway Mode ..............
  • Page 6 Associating Roles with User ........................153 Configuring SSO User Account ........................ 154 Generating Multiple Certificates for Users ....................155 Creating Multiple USB Keys for Users ....................157 Viewing Associated Resources of User ....................159 Scenario 8: Adding User Logging in with Local Password ..............160 Scenario 9: Adding User Logging in with Certificate ................
  • Page 7 Roles ................................. 201 Adding Role .............................. 201 Getting Privilege Report ........................... 203 Authentication Options ............................. 206 Primary Authentication Methods ......................207 Local Password Based Authentication ....................207 LDAP Authentication ........................208 Configuring LDAP Server ......................208 RADIUS Authentication ........................
  • Page 8 Priority of LDAP and RADIUS Servers ................... 243 Password Security Options ....................... 244 Anonymous Login ..........................245 Policy Sets ................................ 247 Adding Policy Set ............................. 248 Scenario 19: Configuring Secure Desktop ..................252 Remote Servers ..............................258 Adding Remote Application Server ......................
  • Page 9 Rule on Access among Sangfor Device's Interfaces ........................289 Scenario 20: Configuring LAN <-> DMZ Filter Rules ........................290 Scenario 21: Configuring LAN <-> VPN Filter Rules ............. 293 Configuring NAT Rule ........................296 Configuring SNAT Rule ........................296 Scenario 22: Adding SNAT Rule ........................296 Configuring DNAT Rule ........................298...
  • Page 10 Configuring Browser and Accessing SSL VPN ....................322 Configuring Browser ..........................322 Using Account to Log In to SSL VPN ...................... 326 Using USB Key to Log In to SSL VPN ....................328 Appendix B: Sangfor Firmware Updater 6.0 ......................330 Updating Your Sangfor Device ......................... 330...
  • Page 11: Declaration

    This manual shall only be used as usage guide, and no statement, information, or suggestion in it shall be considered as implied or express warranty of any kind, unless otherwise stated. This manual is subject to change without notice. To obtain the latest version of this manual, please contact the Customer Service of Sangfor.
  • Page 12: Preface

    Chapter 6 System Maintenance: ... hardware device.
    Appendix A: End Users Accessing SSL VPN: How end users configure the browser and log in to SSL VPN.
    Appendix B: Sangfor Firmware Updater 6.0: How the administrator uses Sangfor Firmware Updater 6.0 to update the current Sangfor device.
  • Page 13: Document Conventions

    Document Conventions Graphic Interface Conventions This manual uses the following typographical conventions for special terms and instructions: Convention Meaning Example Page/tab name example: Navigate to System>Administrator to enter the Administrator Management page. Parameter example: IP Address: Specifies the IP address that you want...
  • Page 14: Symbol Conventions

    submenu the network interfaces. The browser may pop up the prompt “Install ActiveX Prompt control”. Symbol Conventions This manual also adopts the following symbols to indicate the parts that need special attention during...
  • Page 15: Technical Support

    Technical Support For technical support, please contact us through the following: Website: http://data.sangfor.net/feedback.html  MSN, Email: tech.support@sangfor.com.hk  Tel: +60 12711 7129 (7511)  Acknowledgements Thanks for using our product and user manual. If you have any suggestion about our product or user manual, please...
  • Page 16: Chapter 1 Knowing Your Sangfor Device

    Product Appearance Above is the front panel of a SSL VPN hardware device (M5100). The interfaces from left to right are described in the following table:...
  • Page 17: Connecting Sangfor Device

    ALARM Alarm LED The picture above (M5100) is just for reference. The actual product you purchased and received may vary. Connecting Sangfor Device Deploy the Sangfor device in your network. Sangfor device can be deployed in either Single-arm mode or Gateway mode.
  • Page 18 Internet line to WAN2 interface (ETH3) and the third Internet line to WAN3 interface (ETH4), and so on. If you want the Sangfor device to provide secure protection for DMZ (Demilitarized Zone), use RJ-45 Ethernet cable to connect ETH1 interface to the devices such as Web server, SNMP Server that provides services to external networks.
  • Page 20: Chapter 2 Initial Login To Admin Console

    Deploy a computer in the subnet where the Sangfor device resides.  Connect the PC’s network interface card (NIC) and the Sangfor device’s ETH0 interface to the same layer-2 switch, or connect the PC’s NIC to the Sangfor device’s ETH0 interface directly with a network cable.
  • Page 21 Open the IE browser and enter the SSL VPN address and HTTPS port (https://10.254.254.254:4430) into the address bar. Press the Enter key to visit the login page of the SSL VPN administrator Web console, as shown below: Enter the administrator username and password and click the Log In button.
  • Page 22: Modifying Administrator Password

    Modifying Administrator Password We strongly recommend that you change the administrator password after initial login, to prevent others from logging in to the administrator Web console with the default Admin credentials and making unauthorized changes to the administrator account and initial configurations.
  • Page 23 Modify the password and click the Save button on the above page.  Password of the account Admin should not be shared with anyone.  If the Sangfor device is to be maintained by several administrators, create multiple administrator accounts for segregation of duty.
  • Page 24: Chapter 3 System And Network Settings

    There are four configuration modules in all:  Status: Shows the running status of the Sangfor device related modules. ...
  • Page 25: Viewing Status

    Viewing Status Viewing SSL VPN Status There are six panels showing status of SSL VPN, including System Status, External Interface Status, Throughput, Trends of Concurrent Users, Concurrent Sessions and Byte Cache. Each panel can be shown or hidden, and its display criteria are configurable. To show or hide certain panel, click Select Panel and...
  • Page 26  System Status: This panel shows the CPU utilization of the SSL VPN system, number of online users and locked users as well as status of SSL VPN service. View is a link to the Online User page or Hardware ID page.
  • Page 27 Click the Settings icon (at the upper right of the panel) to specify time period (real time, last 24 hours or last 7 days).  Byte Cache: This panel shows the byte cache status and optimization effect brought by byte caching, as...
  • Page 28: Viewing Online Users

    Viewing Online Users Navigate to Status>SSL VPN>Online User to view information of the online users, such as number of users connecting to the SSL VPN, the time when these online users connected, the amount of received/sent bytes, as well as the outbound and inbound speed.
  • Page 29: Viewing Alarm Logs

    Click the OK button and the online end user(s) will see the system broadcasting prompt, as shown below: Viewing Alarm Logs Navigate to Status>SSL VPN>Alarm Logs to view the alarm-related logs on the Sangfor device, as shown below: The following are the contents included on Alarm Logs page: ...
  • Page 30 If Deselect is selected, all the selected logs will be deselected, as shown in the figure below:  Alarm-Triggering Event: Click it to enter the Alarm-Triggering Event page to specify the event(s) that can trigger email alarm.
  • Page 31: Viewing Remote Application

    4 minutes, the system will send an email to the specified email address to notify the administrator of that, and do so when the system memory returns to normal.  Clustered node status changes: Once any node of the cluster changes status, the system will send an email to the specified email address to notify the administrator of that.
  • Page 32 The above page shows information of the remote servers, including name, address, sessions and status of the remote application server, maximum number of concurrent sessions. The following are the contents included on Remote Application page: ...
  • Page 33 To view the users accessing an application, click an application name or View User; information of the users involved is as shown in the figure below:...
  • Page 34: System Settings

    Navigate to System>System>Licensing to activate the license or modify the license key related to this device and each function module. Under License of Device are the license of this Sangfor device and other authorization you have bought from SANGFOR. Under License of Each Module are licenses that are optional for the Sangfor device. Once the license of a function module is activated and that feature is enabled, the corresponding module will work.
  • Page 35  Cluster: This license allows you to enable cluster to couple some scattered Sangfor devices. A cluster provides unified management and greatly improves the performance, availability and reliability of the “network” of Sangfor devices.
  • Page 36: Modifying System Date And Time

    Date: Specifies the date. To select date, click the icon  Time: Specifies the time. Enter the time into this field and set it as the current time of this Sangfor device. Time format should be hh:mm:ss. ...
  • Page 37 Configure the following:  Device Name: Specifies the name of the Sangfor device, which helps to distinguish it from other clustered nodes if this device joins cluster. Elaborate  HTTP Port: Specifies the HTTP port used for logging into this Sangfor device. The default is 1000.
  • Page 38: Generating Certificate For Sangfor Device

    Generating Certificate for Sangfor Device Device certificate is intended for establishing sessions between the Sangfor device and client. To view current certificate of or to generate certificate for the Sangfor device, navigate to System>System>Device Certificate, as shown in the figure below:...
  • Page 39 Once the certificate signing request is generated, click the Download Link to download the request.The contents of the downloaded request file are as shown below:  Update: Click it to import the new external-CA-issued device certificate into the Sangfor device to replace the old one.
  • Page 40: Configuring SMTP Server

    Configuring SMTP Server Navigate to System>System>SMTP to enter the SMTP page, as shown below: Configure the following:  SMTP Server IP: Specifies the IP address of the SMTP server.  Port: Specifies the port number used by this SMTP server to provide email delivery related services.
  • Page 41: Network Settings

    Network Settings Device Deployment Sangfor device can work in two modes, Single-Arm mode and Gateway mode. Deployment mode is configured in System>Network>Deployment. If Single-arm mode is selected, the Deployment page is as shown in the figure below: The following are the contents included on the Deployment page when Single-arm is selected: ...
  • Page 42  Netmask: Configures the netmask of the DMZ interface IP.  Link Status: Indicates the connection status of internal and external interfaces of the Sangfor device, i.e. whether the network cables are plugged in.  External Interfaces: External interfaces are WAN interfaces of the Sangfor device. To set a WAN interface,...
  • Page 43 The following are the contents included on the Edit Line page, when line type is Ethernet:  Enable this line: Select this option and this line will be enabled.  Line Type: Options are Ethernet or PPPoE.
  • Page 44: Scenario 1: Deploying Device In Gateway Mode

    Username, Password: Configure the ADSL account to get dial up access.  Automatically connect: Select the checkbox next to this option if the Sangfor device should automatically dial up when the Internet connection is dropped. The changes apply after settings are saved (click the Save button) and services restart. Once the changes have applied, go to this page again and click the Connect button to dial up immediately.
  • Page 45 Configure the second Internet line, its IP address, netmask, default gateway, DNS server, etc. (for detailed guide, refer to the Device Deployment section in Chapter 3). Configure multi-line options (for detailed guide, refer to the Setting Multiline Options section in Chapter 3). Click the Save button to save the settings and restart the Sangfor device.
  • Page 46: Scenario 2: Deploying Device In Single-Arm Mode

     One network segment of a local area network is 192.200.200.0/24  A Sangfor device is to be deployed in the local area network, in Single-arm mode  The front-end firewall is connected to external networks through an Internet line...
  • Page 47: Setting Multiline Options

    Setting Multiline Options If the Sangfor device needs more than one line to connect to its WAN interfaces (including the case that the Sangfor device is deployed in Single-arm mode), multiline policies should be enabled and configured; more exactly, all the Internet lines should be configured.
  • Page 48 Allow Sangfor VPN to Use Multiple Lines: If this option is selected under Multiline Policy of Sangfor VPN, the configured Internet lines will be available for users’ access to Sangfor VPN. To add a line, click Add. The following figure shows the Add Line for Sangfor VPN page while the deployment mode is Gateway:...
  • Page 49 Name the line, enter the IP address and gateway and specify whether or not this line uses a static IP address. If the line is to use a static Internet IP address, configure the IP Address field.
  • Page 50 SSL VPN cannot use multiple lines.  If the Sangfor device is deployed in Single-arm mode and needs to use multiple Internet lines, map the front-end network device’s public addresses to the Sangfor device and open the required ports, simply by configuring port mapping rules under Lines Of Front-End Device.
  • Page 51: Configuring Route

    Click the Save button and then the Apply button to save and apply the settings. Configuring Route Route can route data of the Sangfor device itself, and route the data (either VPN data or VPN irrelevant data) to the Sangfor device, which then will forward the data to destination.
  • Page 52: Configuring Host Mapping Rule (Hosts)

    Sangfor device. This file works when SSL VPN users need to access Web resources using domain name or host name, generally in the situation that the internal network (where the Sangfor device resides) is using MS Active Directory.
  • Page 53 If Host entry is selected, the page pops up as follows. Specify the fields on this page. The following are the contents included on the Add Host Entry page:  IP Address: Indicates the IP address of the server providing resources.
  • Page 54: Configuring Ip Assignment Options (Dhcp)

    Configuring IP Assignment Options (DHCP) Navigate to System>Network>DHCP>Options to view Status of DHCP service and configure the Options. Status tab shows the running status of the DHCP service, the IP addresses that are assigned through each network interface, the related hostname, MAC address, and lease time left;...
  • Page 55 Click the OK button to save the settings.  In case that some LAN computers are using static private IP addresses, the IP address range configured above should not cover any of those static IP addresses; otherwise, IP address conflict will occur after those IP addresses are assigned to VPN users automatically.
  • Page 56: Configuring Local Subnet

    IP address is reserved. Configuring Local Subnet Local subnets are subnets in the LAN where this Sangfor device resides. Configuring local subnet is intended for the case that the VPN users want to communicate with the other subnets of the headquarters (HQ) network.
  • Page 57 The local subnets are deemed as network segments of VPN by the Sangfor device and the client software, which means all the data sent from (or to) these network segments through the Sangfor device or software will be encapsulated into and transmitted through the VPN tunnels. For this reason, if you want to allow the VPN users to access certain subnet, add the related subnet into the list on the Local Subnets page and then go to the Routes page to configure a corresponding route.
  • Page 58: Schedules

    Schedules A schedule is a combination of time segments, which can be referenced by SSL VPN account settings, firewall filter rules, user privilege settings and endpoint security rules. The date and time are based on the system time of the Sangfor device.
  • Page 59 Click the Select button to select the time segment, as shown below: Go on to select the other time segment (14:00-18:00, from Monday to Friday) in the same way, as shown below: Click the Select button to select the time segment, as shown below:...
  • Page 60 Click Save to save the settings on this page. The newly-created schedule will show in the schedule list, as shown below: To deselect and remove a time segment from the schedule, perform the steps below: Click on and drag over the green grids (selected time segments) to select the time segment that you want to deselect.
  • Page 61  To select this part, click the Select button, and the grids in light blue (including the overlapped part) will turn to green, being selected, as shown below:  Or click Deselect, and the grids in light blue (including the overlapped part) will turn to white, being removed,...
  • Page 62: Administrator

    Administrator Through the administrator management feature, the super administrator of the Sangfor device can create administrators for others to maintain the SSL VPN server. An administrator can be put into a certain group and so be granted restricted administrative privileges. The...
  • Page 63 The following are the information of administrator group:  Name: Specifies the name of the administrator group.  Description: Descriptive information of the administrator group.  Added To: Specifies the administrator group to which this administrator group will be added. This group determines the administrative privileges and realms of this administrator group.
  • Page 64: Adding Administrator

    Click the Save button to save the settings. Adding Administrator Click Add>Admin to enter Add/Edit Administrator page, as shown below: Configure Basic Attributes and Login IP Address of the administrator, as shown below: The following are the information of administrator: ...
  • Page 65 Click the Save button to save the settings. The administrative privilege of an administrator group will never be higher than its parent administrator group. That is to say, administrators’ privilege of maintaining SSL VPN users, resources and roles is authorized by...
  • Page 66: SSL VPN Options

    SSL VPN Options General Settings The basic (SSL VPN related) settings under System>SSL VPN Options>General are global settings, including user login options, client options, virtual IP address pool, Single Sign-On (SSO) and resource options.
  • Page 67 Configure Web Agent Settings. Select Enable Web Agent for dynamic IP support to enable this feature, and the Sangfor device will be able to get an IP using Web Agent dynamic addressing if it is not using a static Internet IP address. To add a Web agent entry: Click Add to enter the Add Web Agent page, as shown below: Enter the Web Agent address into the Address field and click the OK button.
  • Page 68: Configuring Client Related Options

    figure below: Before test begins, certain ActiveX control may need to be installed (as shown below). Click the Check ActiveX Status button to check whether the ActiveX control has been installed. If not, click the Install button and follow the instructions to install the ActiveX control.
  • Page 69 The following are the contents under SSL VPN Client Options:  Enable system tray: System tray is a taskbar status area for showing the status of and configuring SSL VPN on the client end. Select this option and the browser window can minimize to a system tray when Resource page is closed.
  • Page 70 Right-click on the System Tray icon and the Floating Window appears, as shown below:  Password can be remembered: Select the checkbox next to this option and the SSL VPN Client will remember the SSL VPN login account (username and password) the user entered if the user selects the option...
  • Page 71  Allow begin online: once disconnected, the client will attempt to reconnect again and again; suitable for an endpoint watched by no one.  Auto install TCP and L3VPN components: Select the checkbox next to this option and the components related to TCP application and L3VPN will be enabled and installed when users log in to the SSL VPN.
  • Page 72  Client on Windows PC: Specifies the shortcut icon of System Tray that appears on the taskbar; an icon can be uploaded, as shown in the figure below:  Client on Mobile Device: remote access from devices such as hand phone, iPad etc., as shown in the figure below:...
  • Page 73  The functionalities provided by floating window and system tray are the same.  If Enable system tray is not selected but the connecting user can access any TCP and/or L3VPN resource, the connecting user can still use the floating window after login to SSL VPN.
  • Page 74  Optimization Effect: Click it to view the optimization effect.  History Message: Click it to view the message(s) received.  Resource Path: Click it to view the mapping between resource and application path.
  • Page 75  Proxy Options: Click it to configure whether to use IE proxy settings, as shown below:  Remote Application Options: Click it to view the options related to remote application. This menu is only available when there is Remote Application resource accessible to the connecting user.
  • Page 76 and a public directory is accessible to the connecting user.  Show Resource: Click it to enter the Resource page to view and access the available internal resources.  Exit: Click it to exit from the SSL VPN.
  • Page 77 The following are the contents included on the Login Options page:  Minimize Resource page after login: Indicates that the resource page will not show up after user logs in to SSL VPN through the SSL VPN Client.
  • Page 78: Scenario 3: Enabling Automatic Access Using SSL VPN Client

    shortcut icon. Scenario 3: Enabling Automatic Access Using SSL VPN Client Navigate to Start>Programs>SSL VPN Client to start SSL VPN, as shown below: The first time the user accesses the SSL VPN through the browser, SSL VPN Client is installed on the user’s PC automatically.
  • Page 79 Click the Connect button to enter the login page. On the login page, there are three tabs and contents on different tabs vary with authentication methods. For authentication based on username and password, select Account. The Account tab is as shown in the...
  • Page 80  Auto login: If it is selected, the user will connect to SSL VPN directly the next time SSL VPN is started. This option works in association with the Remember me option. Please note that word verification must not be enabled; otherwise, the auto-login feature will not take effect.
  • Page 81: Configuring Virtual IP Pool

    The following are the contents included on the USB Key tab:  Address: Address of the SSL VPN.  Modify: Click this button to modify the address of SSL VPN.  PIN: Enter PIN of the USB key after inserting the USB key into PC’s USB port.
  • Page 82: Configuring Local DNS Server

    When configuration is completed, apply the settings by clicking the Apply button that appears after any change is made. The IP ranges should not cover the IP address of any network interface of the Sangfor device, or conflict with the IP address of any running machine in the local area network.
  • Page 83 Configure the following under Local DNS:  Primary DNS: This is the primary local DNS server that is preferred to resolve domain names.  Alternate DNS: This is the secondary local DNS server that is used to resolve domain names when the primary DNS is unavailable.
  • Page 84 To select all or deselect the selected entries, click Select>All or Deselect. To delete or edit the domain name, select a domain name and click Delete or Edit. To add an entry, click Add and enter the domain name of a resource, as shown below: Make sure that the address is in the form of an IP address when configuring the address of the resource (refer to the Resource section in Chapter 4).
  • Page 85: Configuring SSO Options

    Domain supports wildcards * and ?. * indicates any character string, while ? indicates any single character. For example, *.com stands for any domain name ending with .com. b?s.SANGFOR.com indicates that the second character of that domain name can be any character, such as bbs.SANGFOR.com.
  • Page 86 SSO Assistant.  Upload SSO Configuration File: It is used to upload the SSO configuration file into the Sangfor device. Browse and upload the configuration file (containing the recorded SSO information) to the device.
  • Page 87: Configuring Resource Options

    Only one type of users can configure SSO page on the Resource page, that is, the private users who have associated with the resources that have applied SSO. Configure Web SSO Options. There are three tabs under Web SSO Options, namely, Web SSO Encryption, Basic SSO and NTLM SSO.
  • Page 88: Web App Resource Options

    IP address (to configure virtual IP address, refer to the Configuring Virtual IP section in Chapter 3). To have the connecting users take the IP address of the Sangfor device as the source address to visit the server resources, select Take device IP address as source.
  • Page 89: TCP App Resource Options

    The following are the contents included on Add Rule page:  HTML Tag: Specifies the HTML tag used for rewriting webpage objects. Options are Object, Applet and Embed.  Object Identifier: Specifies the identifier (name) of this rule.
  • Page 90 IP address, refer to the Configuring Virtual IP section in Chapter 3). To have the connecting users take the IP address of the Sangfor device as the source address to visit the server resources, select Take device IP address as source.
  • Page 91: Background Knowledge: What Is Smart Recursion

    To add a URL address, click Add. The Add Address page is as shown below: To remove or modify the rule, select a rule and click Delete or Edit. To select all rules or deselect the selected rules, click Select>All or Deselect.
  • Page 92: L3VPN Resource Options

    and databases. Purpose: Enable users to remotely and securely access the homepage of the library and the links to other servers and databases. Analysis and Solution: To meet the requirements, first create a TCP resource (the address of the resource is the homepage of the library, www.library.com) and enable smart recursion; second, configure smart recursion on the Resource Options page.
  • Page 93: Other Resource Options

    IP address of the Sangfor device or an assigned virtual IP address (refer to the Configuring Virtual IP section in Chapter 3). To have the connecting user take the IP address of the Sangfor device as the source address to visit the server resources, select Take device IP address as source.
  • Page 94 (resource), as shown in the figure below: The following are the contents included on Others tab:  Page File: For users accessing an unauthorized URL of a Web application resource, upload a prompt page through the Page File field. When any user accesses an unauthorized URL, he/she will be notified that access is denied.
  • Page 95: Network Optimization Related Settings

    Network Optimization Related Settings Navigate to System>SSL VPN Options>Network Optimization and four pages are seen, namely Application Access, Data Transfer, Webpage Access and Web Cache, which configure the optimization options in terms of data transfer, webpage access and Web cache.
  • Page 96: Data Transfer Optimization

    Data Transfer Optimization The Data Transfer page is as shown below: The following are the contents included on the Data Transfer page: • Enable HTP: Select this option if the client end is in a wireless network or in a poor network environment.
  • Page 97 • Applying HTP needs the support of UDP port 443. If the Sangfor device is deployed in Single-arm mode, remember to configure the front-end firewall to map this UDP port to the Sangfor device.
  • Page 98: Webpage Access Optimization

    GZIP/ZLIB, as shown in the figure below: Webpage Access Optimization This kind of optimization utilizes system resources of the Sangfor device to handle images and therefore reduces the data stream from/to public networks. It is an ideal feature for users who are using a PDA (Personal Digital Assistant) to access SSL VPN or whose computer is in a poor network.
  • Page 99 The following are the contents included on the Webpage Access page: • Enable webpage access optimization: It is a global switch for webpage access optimization. Select this option and the webpage access optimization feature will be enabled.
  • Page 100 • Adjust image quality: This option leads to quality deterioration of images (jpg images supported only), though it helps to reduce the image data. Four options are available, namely Smartly blurred, Slightly blurred, Blurred and Heavily blurred. This feature applies to .jpg images only.
  • Page 101: Web Cache

    The following are the contents under Applicable Address of Webpage Access Optimization: • Applicable addresses: If The addresses below is selected, only access to the added URL addresses will be optimized. If Other addresses rather than the ones below is selected, access to any other URL addresses (except the added addresses) will be optimized.
  • Page 102 The following are the contents included on the Web Cache page: • Enable Web Cache: Select it to enable Web Cache. • Applicable Addresses: If The addresses below is selected, only access to the added URL addresses will be optimized.
  • Page 103: User Logging In

    User Logging in This section covers configuration on three pages: Login Policy, Login Page and Icon. Configuring Login Policy A login policy is a kind of policy that not only sets the login page for connecting users at the client end but also specifies the default login method.
  • Page 104 If anonymous logon is enabled, the default login method cannot be selected. If Users use different login pages is selected, a user/group can only use the designated login page to access SSL VPN. Please do the following: Click the Yes button to confirm choosing Users use different login pages as the selected policy.
  • Page 105 Configure the following fields on the Add Login Policy page: • URL: Specifies the URL address of the homepage of SSL VPN. The URL may contain https. By default, it contains https. • Description: Brief description of the user or group.
  • Page 106: Configuring Login Page

    If Users use different login pages is the login policy, HTTPS port and multiline policy will be disabled. You can click the HTTPS Port and Multiline Policy links to enter the Login page to view the HTTPS port settings and the Multiline Options page to view the multiline settings respectively.
  • Page 107 The following are the contents included in the above page: • Name: Indicates the name of this login page. • Description: Indicates the brief description of this login page. • Template File: Specifies the system template based on which the login policy will be configured. To view the thumbnail of the built-in page template, click View Thumbnails.
  • Page 108 If By uploading custom page is selected, the contents are as shown in the figure below:...
  • Page 109 The following are the contents included in the above page: • Name: Indicates the name of this login page. • Description: Indicates the brief description of this login page. • Page File: Upload a page file through this field. The file extension must be .zip. At the right side of the page, there are instructions on how to upload a page file and three sample page files available.
  • Page 110: Scenario 5: Assigning Login Page To Specific User Or Group

    after users log in to the SSL VPN. A maximum of 1024 characters is allowed and HTML is supported. To preview the bulletin message, click Preview. Click the Save button to save the settings on this page. Scenario 5: Assigning Login Page to Specific User or Group...
  • Page 111 Create two login policies named Market and Finance which are to be used by the users from the corresponding departments (for a detailed guide, refer to the Configuring Login Page section in Chapter 3). Configure the login policy for the Market department, as shown below:...
  • Page 112: Uploading Icon To Device

    Besides that configuration, images or icons are also needed in some other places. Such images used by the Sangfor device can be uploaded to and managed on the Sangfor device. Navigate to System>SSL VPN Options>Logging in>Icon to enter the Icon page, as shown in the figure...
  • Page 113: Clustering

    A cluster enables multiple independent servers (nodes) to work as a single system and be managed as a single system. A node (in fact, a Sangfor device) in a cluster may be a real server being managed by one node master, or the dispatcher (a real server by nature).
  • Page 114 respond to the user. • High availability • If a node becomes faulty, this node will be removed from the available node list by the dispatcher when heartbeat detection (a signal sent from the LAN interface) times out. The removal of this node from the available node list will only affect the users that are being served by that node.
  • Page 115 With cluster enabled, users can use any service provided by SSL VPN as long as at least one clustered Sangfor device keeps running. If a user is using a static cluster IP address to access the services but that node gets...
  • Page 116: Deploying Clustered Sangfor Devices

    For clustered nodes deployed in Single-arm mode, the configurations of the internal and external interfaces are the same as those on an individual Single-arm Sangfor device (please refer to the Deployment section in Chapter 3). One additional configuration is Cluster IP Address of the LAN interface (under System>SSLVPN Options>Clustering>Deployment).
  • Page 117: Deploying Clustered Device In Gateway Mode

    The LAN Cluster IP address on every clustered device should be identical; so is the WAN Cluster IP address. • The WAN interface IP address on every clustered device should be in the same network segment; whereas the WAN Cluster IP address and the WAN Interface IP address configured on a Sangfor device must NOT be in the same network segment. ...
  • Page 118: Deploying Clustered Device With Multiple Lines

    For clustered nodes deployed with multiple lines, the configurations of the internal and external interfaces are the same as those on an individual Sangfor device that has multiple lines (please refer to the Deployment section in Chapter 3). One additional configuration is Cluster IP Address of the LAN interface and WAN interface (under System>SSLVPN Options>Clustering>Deployment).
  • Page 119 Gateway-mode Sangfor Device with Multiple Lines Typical network topology of a cluster of Gateway-mode devices is as shown in the figure below: Scenario 6: Configuring Newly-Joining Clustered Device Recalling the above section, we know that the cluster IP address for a newly-joining clustered device needs to be configured.
  • Page 120 WAN1 Interface Gateway: Specifies the gateway of the WAN1 interface. A cluster IP address is a group of IP addresses of a cluster formed by more than one Sangfor device, and will be announced to the external networks. These IP addresses configured on each clustered node must be consistent.
  • Page 121: Viewing Clustered Node Status

    Viewing Clustered Node Status Clustered node information includes the IP address of the clustered node, node type (dispatcher or real server), CPU utilization of the node, number of licenses each node can grant, connecting users of each node, as well as total licenses and total online users.
  • Page 122 locked users. • Search: To search for a specific user, enter the keyword into the Search field and then click the magnifier icon or press the Enter key.
  • Page 123: Scenario 7: Configuring Clustered Sangfor Device

    The cluster network topology of Sangfor devices in Gateway mode is as shown in the figure below: The configuration procedure is as follows: Deploy the Sangfor devices into the network as shown in the figure above. Make sure that the dispatcher and real server can communicate with each other via their WAN interfaces and LAN interfaces.
  • Page 124: Configuring Clustered Device In Single-Arm Mode

    Specify the dispatcher. To set this Sangfor device as the dispatcher, select This device preferred, in which case the other nodes in this cluster will be real servers. If you are not going to set this SSL device as the dispatcher, select Elected by priority level and configure the priority level to have all the clustered nodes compete for dispatcher.
  • Page 125 The configuration procedure is as follows: Deploy the Sangfor devices into the network as shown in the figure above. Make sure that the dispatcher and real server can communicate with each other via their LAN interfaces. WAN interfaces need not be connected.
  • Page 126: Configuring Clustered Device In Gateway Mode (Multiple Lines)

    On the real server: configure the LAN cluster IP address (192.168.1.1) and network mask (255.255.255.0). • The LAN cluster IP address and the LAN interface IP address of any Sangfor device in the cluster must be in the same network segment.
  • Page 127: Configuring Clustered Device In Single-Arm Mode (Multiple Lines)

    Deploy the Sangfor devices into the network as shown in the figure above, with the WAN1 and WAN2 interfaces connecting to the Telecom and Netcom links respectively. Make sure that the dispatcher and real server can communicate with each other via their WAN1, WAN2 and LAN interfaces.
  • Page 128 The configuration procedure is as follows: Deploy the Sangfor devices into the network as shown in the figure above. Make sure that the dispatcher and real server can communicate with each other via their LAN interfaces. WAN interfaces need not be connected.
  • Page 129 Specify the dispatcher. To set this Sangfor device as the dispatcher, select This device preferred, in which case the other nodes in this cluster will be real servers. If you are not going to set this SSL device as the dispatcher, select Elected by priority level and configure the priority level to have all the clustered nodes compete for dispatcher.
  • Page 130: Distributed Nodes

    Distributed Deployment: global switch intended for enabling or disabling distributed deployment of the SSL VPN system. To enable distributed deployment, select Enabled. • Node Name: Specifies the name of the node (Sangfor device). After entering the node name, click the Check Validity button to check on the Web Agent whether this name is valid. ...
  • Page 131: Viewing Status Of Distributed Nodes

    and its connecting users use those IP addresses in that pool only. The user who logs in to a distributed node will use an IP address assigned from its specific IP address pool, which eliminates the possibility that the IP addresses assigned to users of different nodes conflict.
  • Page 132: Chapter 4 SSL VPN

    Chapter 4 SSL VPN SSL VPN covers the configurations of Users, Resources, Roles, Authentication, Policy Sets, Remote Servers and Endpoint Security. SSL VPN options are crucial, because they are the core of the entire SSL VPN system, in particular those in Users, Resources and Roles.
  • Page 133: Adding User Group

    To deselect entries, click Select>Deselect. To edit the attributes of a user or group, select the user or group and click Edit to enter the Edit User or Edit User Group page. Adding User Group Navigate to the SSL VPN>Users>User Management page. Click Add>User Group to enter the Add User Group page, as shown in the figure below: Configure Basic Attributes of the user group.
  • Page 134 • Max Concurrent Users: Indicates the maximum number of users in this group that can concurrently access SSL VPN. • Status: Indicates whether this user group is enabled or not. Select Enabled to enable this group;...
  • Page 135 ID consequently. This hardware ID should be submitted to the Sangfor device and bound to the corresponding user account. Once the administrator approves the submitted hardware ID, the user will be able to pass hardware ID based authentication when accessing SSL VPN through the specified terminal(s).
  • Page 136 If the user fails to receive any text message containing the SMS password, he or she can click get again to get a new SMS password. • By default, SMS authentication will not be enabled if the mobile number is not configured. SMS authentication comes into use only after, a).
  • Page 137 Certificate/USB key + SMS password/Hardware ID/Dynamic token; External LDAP/RADIUS + SMS password/Hardware ID/Dynamic token; Local password + Certificate/USB key + SMS password/Hardware ID/Dynamic token; External LDAP/RADIUS + Certificate/USB key + SMS password/Hardware ID/Dynamic token. Associate a policy set with the user. A policy set is a collection of various access policies, which should be associated with a user or group to control access to and use of SSL VPN (for details, refer to the Adding Policy Set section in Chapter 4).
  • Page 138 Click Add to enter the Select Role page, as shown below: Select the checkbox next to the desired roles and click the OK button. The roles are added to the Assigned Roles page, as shown below: Click the OK button and the names of the assigned roles are filled in the Roles field.
  • Page 139: Adding User

    SANGFOR SSL M6.8EN User Manual  No user group can be added to Default Group or Anonymous Group.  Anonymous Group is a user group automatically created by the system while anonymous login is enabled. Adding User Navigate to SSL VPN>Users>User Management page. Click Add and select User to enter the Add User page, as shown in the figure below: Configure Basis Attributes of user.
  • Page 140 SANGFOR SSL M6.8EN User Manual  Local Password, Confirm:Enter the password of this user account.  Mobile Number: Enterthe mobile phone number of the user. If SMS authentication is applied to this user, mobile phone number must be specified so that user can get SMS password through text message.
  • Page 141 SANGFOR SSL M6.8EN User Manual appears: Click the Download button and select a path to save the certificate into the computer. File extension of the certificate is .p12. Generate USB key for the current user. Navigate to SSL VPN>Authentication>Authentication Options and click the USB Key Driver linkand USB Key Tool link to download and install USB key driver (file namesdkeydrv.cab) and USB key tool...
  • Page 142 SANGFOR SSL M6.8EN User Manual Above is one of thesolutions, using ordinary USB key, which records the digital certificate and writes it into the USB key. The other solution is to use driver-free USB key, which means that the connecting user can directly use the USB key without installing the USB key driver.
  • Page 143 SANGFOR SSL M6.8EN User Manual shown in the figure below: Assign virtual IP address to user. Virtual IP address will be assigned to connecting user automatically or manually when he or she connects to the SSL VPN. Select either Automatic or Specified to have the system assign an available virtual IP address to the connecting user randomly or specify a virtual IP address to the user.
  • Page 144: Searching For Users

    SANGFOR SSL M6.8EN User Manual  Private user: Indicates that only one user can use the user account to log in to the SSL VPN at a time. If a second user uses this user account to connect SSL VPN, the previous user will be forced to log out.
  • Page 145: Managing Hardware Ids

    To filter users and view only one category of users, click the column header Type, as shown below: Managing Hardware IDs Among the tools on the User Management page, there is an item Hardware ID. Click it to enter the Hardware ID...
  • Page 146 • Search: Use the search tool on the upper right of the page to search for hardware IDs based on username or hostname. • Import: Click it to import hardware IDs by hand, as shown below: For the file format and the way of maintaining the file that contains hardware IDs, click the Download Example File link to download a copy to the local computer and maintain the hardware IDs as instructed.
  • Page 147: Importing User To Device

    Click the OK button and the name of the selected user group is filled in the textbox, as shown in the figure below: To also export the hardware IDs of the users that are included in the subgroups of the specified user group, select the checkbox next to Subgroup included.
  • Page 148: Importing Users From File

    Importing Users from File On the User Management page, select Import users from file to enter the User Management - Import Users from File page, as shown in the figure below: Select a way of importing.
  • Page 149 • If the specified group does not exist, create it automatically: This applies if the Added to Group of some users in the CSV file does not match any of the user groups existing on this Sangfor device. • In case user already exists in local device: This means the imported user's name conflicts with an existing user's name.
  • Page 150 Password, Confirm and Mobile Number. These certificate users will inherit the attributes specified here after they are imported into the specified user group on this Sangfor device; otherwise, these certificate users will inherit the attributes of their parent group (specified by Added to Group), with description, password and mobile number being null by default.
  • Page 151: Importing Users From Ldap Server

    Click the Finish button to import the users. Importing Users from LDAP Server On the User Management page, select Import users from LDAP server, and the LDAP Server page appears, as shown in the figure below: Click Import Users to enter the Import Users from LDAP Server page, as shown below: Configure the Import Users from LDAP Server page.
  • Page 152 • If User Exists: This means the name of the LDAP user is the same as that of a local user (on the Sangfor device). Select Go on importing user to overwrite the existing one to replace the existing user with the one that...
  • Page 153: Moving Users To Another Group

    Moving Users to Another Group On the User Management page, select the desired user/group(s) and click Move (on the toolbar) to enter the User Groups page, as shown below: Select the user group to which the user/group(s) will be added.
  • Page 154: Associating Roles With User

    The exported user information includes username, group path, password (encrypted by an algorithm developed by SANGFOR), mobile number, virtual IP address, description and the time the user last logged in, as shown below: Associating Roles with User Navigate to the SSL VPN>Users>User Management page and click More>Associate with role to enter the Roles...
  • Page 155: Configuring Sso User Account

    The SSO feature enables users to perform one-stop access to resources that have SSO enabled. When the connecting user clicks on the resource name on the Resource page, he or she will directly visit that resource, with the Sangfor device helping him or her submit the required credentials (username and password of the user account).
  • Page 156: Generating Multiple Certificates For Users

    Select the desired resource(s) to edit the SSO user account, as shown below: Enter the username and password of the SSO user account into the corresponding fields, and click the OK button. The newly created SSO user account is configured.
  • Page 157 Select the desired users and click the Next button to create and generate multiple certificates, as shown below: Configure the fields on the page. The following are the contents: • Configure the required fields, such as Country, State, City, Company, Department, Expired On and Certificate Password.
  • Page 158: Creating Multiple Usb Keys For Users

    generating certificates for a bunch of similar users next time. Click Generate to generate certificates for the specified users one by one, as shown below: To save the certificates to the computer, click the Download Certificate button.
  • Page 159 Select the USB key type (take a USB key containing a digital certificate for example) and click the Next button; the next step is as shown below: Configure the required fields. Click the Create button and the process is as shown below:...
  • Page 160: Viewing Associated Resources Of User

    Every time the process stops here, insert a physical USB key into the USB port of the computer, enter the PIN and click the Create button to write the information of the current user into the USB key.
  • Page 161: Scenario 8: Adding User Logging in with Local Password

    Scenario 8: Adding User Logging in with Local Password Navigate to SSL VPN>Users>User Management and click Add>User to enter the Add User page. Configure the Name and Local Password fields. Configure Authentication Settings. Select Local password, as shown below: Click the Save button and Apply button to save and apply the settings.
  • Page 162 Configure the Name and Local Password fields. Select user type Private user. Configure Authentication Settings. Select primary authentication Certificate/USB key. Click the Generate Cert button (the button name is Import Certificate when the current CA is an external CA) to enter the Generate Certificate page and generate a certificate for this user, as shown in the figure below: Configure the required fields and click the Generate button.
  • Page 163 6. Click Download to save the certificate file support.p12 to the computer and send it to the end user. 7. The end user installs the certificate on his/her computer, visits the login page and selects Use Certificate login...
  • Page 164: Resources

    Resources The resources we are talking about in this user manual are the resources that can be accessed by specified users over SSL VPN. Resource types fall into Web application, TCP application, L3VPN and Remote Application. Navigate to SSL VPN>Resources and the Resource Management page appears, as shown below:...
  • Page 165 Configure Basic Attributes of the resource group. The following are the basic attributes: • Name, Description: Indicates the name and description of the resource group respectively. This name will be seen on the Resource page after the user logs in to the SSL VPN successfully.
  • Page 166: Background Knowledge: Load-Balanced Resource Access

    SANGFOR SSL M6.8EN User Manual  A resource could be included in only one resource group.  Maximum 100 resource groups are supported. Click the Save button to save the settings. Background Knowledge: Load-Balanced Resource Access Assume that three resources named Web1, Web2 and Web3 are created based on three servers providing services, and are added into a new group Website homepage.
  • Page 167: Adding/Editing Web Application

    If the associated resource Website hompage_auto_balancer_rc of the role is assigned to users or groups, the first five connecting users will access the resource launched by Web1, the second five users will access the resource launched by Web2 and the third five connecting users will access the resource launched by Web3. In this way, the load of the three servers is kept balanced (to associate resources with a user or group, refer to the Role section in Chapter 4).
  • Page 168 Application page, as shown below: Configure Basic Attributes of the Web application. The following are the basic attributes: • Name, Description: Indicates the name and description of the Web resource. This name may be seen on the Resource page after the user logs in to the SSL VPN successfully.
  • Page 169 If the resource address is a domain name or hostname, add a host entry to map the domain name/hostname to the actual IP address (in System>Network>Hosts, refer to the Configuring Host Mapping Rule (HOSTS) section in Chapter 3), or configure the DNS server of the Sangfor device and ensure it can resolve the local domain names (in System>Network>Deployment).
  • Page 170 After entering the domain name into the Address field and completing the configuration, go to System>Network>Hosts and add a Host entry to map the domain name or host name to the IP address of the FTP server.
  • Page 171 • The authorized administrators cannot edit the resource. They only have the right to assign this resource to users (in other words, to associate resources with the role under SSL VPN>Roles>Edit Role) and to grant other administrators (in its permitted realm) the privilege to manage this resource, rather than the privilege of editing the resource.
  • Page 172: Scenario 10: Adding Web Application

    Please note that this access control feature is only available while the Web application type is HTTP, HTTPS or File Share. The other two types of Web application (MAIL and FTP) do not support this feature.
  • Page 173 • http://mail.123.com: a mail system of the company. Server address is 192.168.1.12. • ftp://ftp.123.com: a file sharing system of the company. Server address is 192.168.1.13. Purpose: Enable employees to access these resources over SSL VPN, but no add-on needs to be installed.
  • Page 174 Choose resource type MAIL, and enter the IP address of the SMTP server into the Address field and the domain name into the Domain Name field. Configure other required fields. Click the Save button to save the settings.
  • Page 175: Scenario 11: Masquerading Resource Address

    corresponding resource link, as shown in the figure below: Scenario 11: Masquerading Resource Address Purpose: Conceal the IP address of the server that provides the resource to users. Resource address masquerading only applies to HTTP, HTTPS, MAIL and FTP types of Web resources. Real addresses of File Share type Web resources are visible to users.
  • Page 176: Scenario 12: Addingfile Share Type Of Web Resource

    Click the resource link to access the resource Web server. As shown in the figure below, the URL address of the visited resource is not the real address (200.200.72.60) but a meaningless character string. Scenario 12: Adding File Share Type of Web Resource Purposes: ...
  • Page 177 On the Edit Web Application page, select the File Share type of application and configure the other required fields, as shown below: On the Role Management page, click Add to add a role, as shown below: On the Add Role page, select the user ssl1 added in Step 1 and the resource Web file sharing to associate the resource with the user.
  • Page 178: Adding/Editing Tcp Application

    When the employee uses the user account ssl1 to connect to SSL VPN, he/she will see the Web file sharing resource link on the Resource page, as shown in the figure below: Click on the resource link and the contents on the Web file sharing server and the available contents will be...
  • Page 179 Resource page after the user logs in to the SSL VPN. • Type: Indicates the type of the TCP application. Some common types are built into the Sangfor device. This selection determines the port number entered in the Port field automatically. If the TCP application is not any of the built-in types, select Other and configure the port manually.
  • Page 180 • Port indicates the port used by this TCP application to provide services. For built-in types of TCP applications, this port is predefined. For the Other type of TCP application, enter the corresponding port number. ...
  • Page 181 Invisibility here only means that the resource is not seen on the Resource page; in fact, it is still accessible to the user. • Enable resource address masquerading: To conceal the true IP address of the resource, select this option.
  • Page 182 corresponding SSL VPN account and designated SSO user account to access this TCP resource over SSL VPN, other user accounts being unable to match the credential. Web application, TCP application and L3VPN support account binding.
  • Page 183 corresponding resource would not be accessible to the user. To add crucial files, perform the following steps: Click the Select button next to Crucial File to enter the Files page, as shown below: Click Add>Process related file to select the process (file extension is .exe).
  • Page 184: Scenario 13: Adding Tcp Application

    Scenario 13: Adding TCP Application Background: One DNS server and two servers are deployed in the enterprise network, providing services for the employees: • http://oa.123.com: an OA system. Server address is 192.168.1.10. • Accounting system: Server address is 192.168.1.15 and port is 4003, providing services such as payroll, payment claiming, etc.
  • Page 185 Choose the application type Other and specify the address and port. Add or edit a role to associate the two resources (OA System and Accounting system) with it and assign the role to the user (for a detailed guide, please refer to the Adding Role section in Chapter 4).
  • Page 186: Scenario 14: Configuring Url Access Control Feature

    Scenario 14: Configuring URL Access Control Feature Background: A file server (duan.sslt.com) is deployed in the enterprise network, providing services for the employees. Purposes: Only allow members of the Finance department to access this file server, and allow them to access only the directory duan.sslt.com/frame, other directories of the file server being inaccessible.
  • Page 187: Adding/Editing L3Vpn

    SANGFOR SSL M6.8EN User Manual To access the frame directory, the employees needs only to click the URL access control link. Access to the upper-level directory will be denied. Adding/Editing L3VPN L3VPN is a type of resource based on IP protocol, allowing end users to use C/S-based and TCP/UDP/ICMP-based application on their computer to remotely access corporate resources and servers over SSL VPN.
  • Page 188 Resource page after user logs in to the SSL VPN successfully.  Type: Indicates type of the L3VPN. Some common types are built in the Sangfor device. This selection determines the port number entered in the Port field automatically. If the L3VPN is not any of the built-in types, select Other and configure the port by hand.
  • Page 189 SANGFOR SSL M6.8EN User Manual defining.  If resource address is domain name, navigate to System>SSL VPN Options>General>Local DNS to configure local DNS server (for detailed guide, refer to the Configuring Local DNS Server section in Chapter 3).  Program Path: Indicates path of the client software program that may be used by some C/S application.
  • Page 190 SANGFOR SSL M6.8EN User Manual If Verify user by analyzing packet is selected, the SSL VPN account is bound to the account used for resource access: that account is extracted from the client's packets as specified by Packet Format and the other settings.
  • Page 191: Scenario 15: Adding L3Vpn

    If the subnet resources do not reside in the same network segment as the LAN and DMZ interfaces of the Sangfor device, that is, there is a layer-3 router or switch in between, add the subnet on the Local Subnets page (under System>Network) and a corresponding route on the Routes page (under System>Network) to...
  • Page 192 Add or edit a role to associate the All subnet L3VPN resources with the senior managers. There is no need to create this resource, because All subnet L3VPN resources is built into the Sangfor device. Click the Apply button to apply the settings.
  • Page 193: Adding/Editing Remote Application

    SANGFOR SSL M6.8EN User Manual Adding/Editing Remote Application Remote applications are applications launched on remote servers and accessed by end users over SSL VPN. The user operates the program from the local computer, but the data is accessed on the remote server within the remote application session.
  • Page 194: Scenario 16: Adding Remote Application

    SANGFOR SSL M6.8EN User Manual Configure the Authorized Admin tab. Specify the administrators who may manage this resource and who may grant other administrators the privilege to manage it. 5. Configure the SSO License tab. The administrator records the SSO login information here, so that after the user logs in to the SSL VPN and accesses the corresponding remote application resource, the single sign-on completes automatically.
  • Page 195 SANGFOR SSL M6.8EN User Manual To achieve the expected purpose: Navigate to SSL VPN>Remote Servers to enter the Remote Server Management page and click Download Remote App Agent to download the Remote App Agent program. Double-click the executable file named SFRemoteAppServerInstall.exe and follow the instructions to install the Remote App Agent, as shown in the figure below: Navigate to SSL VPN>Remote Servers to enter the Remote Server Management page and configure a...
  • Page 196 Server section in Chapter 4). Configure admin account, password, and other required fields and make sure the application server can connect to the Sangfor device. You can click the Test Connectivity button to check whether this remote application server can be connected.
  • Page 197 SANGFOR SSL M6.8EN User Manual If the following prompt appears, the SSL VPN cannot connect to the remote application server. In that case, check whether the remote server is configured properly. Under Remote Application Programs, click Select from Server to select the application program WordPad,...
  • Page 198 SANGFOR SSL M6.8EN User Manual 13. Click theOK button to save the settings and the program name is seen in the Program field: 14. In the App Server tab, select an application server to publish WordPad. 15. Click the Save button on Edit Remote Application Resource page and then click the Apply button on the next page.
  • Page 199: Exporting Resources

    Exporting Resources This feature helps export the existing resources from the current Sangfor device to the computer. Navigate to SSL VPN>Resources > Resource Management and click More>Export resource to enter the...
  • Page 200: Importing Resources

    Click the Export button. By default, the exported resources are saved in a csv file named rclist.csv. Importing Resources This feature helps import resources from the computer to the Sangfor device. Navigate to SSL VPN>Resources>Resource Management and click More>Import resource to enter the...
  • Page 201: Sorting Resources

    SANGFOR SSL M6.8EN User Manual file. After editing the csv file, upload it through the above page.  Customize resource attributes: The two fields below it define the attributes of the imported resources, the description and the target group to which they are to be added.
  • Page 202: Roles

    SANGFOR SSL M6.8EN User Manual Roles A role is an intermediary that links users or groups to resources; more specifically, it designates internal resources to a user or group. Users can access only the designated internal resources over SSL VPN. This association lets one or more users or groups be associated with one or more resources, facilitating control over users'...
  • Page 203 SANGFOR SSL M6.8EN User Manual Configure the Basic Attributes of the role. The following are basic attributes:  Name: Configures name of the role.  Description: Configures description of the role.  Assigned To: Configures the user and/or group that can access the associated resources. To specify user...
  • Page 204: Getting Privilege Report

    SANGFOR SSL M6.8EN User Manual security check, he or she cannot access the associated resources. To specify a role-level policy, click the Select Role-level Policy button and all the predefined role-level policies are seen (to configure a role-level policy, refer to the Adding Role-level Policy section in Chapter 4), as shown in the figure below: Configure associated resources.
  • Page 205 SANGFOR SSL M6.8EN User Manual Select the type of report you want to generate. There are two types of privilege reports, User-based report and Resource-based report. The former presents which internal resources the selected users can access, while the latter presents which users can access the selected resources. To generate a user-based privilege report, perform the following two steps: Select User-based report…...
  • Page 206 SANGFOR SSL M6.8EN User Manual To generate resource-based privilege report, perform the following two steps: Select Resource-based report… and click the Next button, as shown below: Select the desired user(s) and click the Finish button to download the .csv file. The download...
  • Page 207: Authentication Options

    SANGFOR SSL M6.8EN User Manual Authentication Options Authentication Options covers settings related to primary and secondary authentication methods. Navigate to SSL VPN>Authentication and the Authentication Options page appears, as shown in the figure below:...
  • Page 208: Primary Authentication Methods

    SANGFOR SSL M6.8EN User Manual Primary Authentication Methods There are four primary authentication methods, namely, local password based authentication, LDAP authentication, RADIUS authentication and certificate/USB key based authentication. Local Password Based Authentication The settings related to local password based authentication include password security options and username options.
  • Page 209: Ldap Authentication

    Username Options: If the option Ignore case of username is selected, the case of the username is ignored when users enter credentials to log in to the SSL VPN. Password Security Options and Username Options apply only to the user accounts on the local Sangfor device. LDAP Authentication The Sangfor device supports a third-party LDAP server to verify the users connecting to the SSL VPN.
  • Page 210 SANGFOR SSL M6.8EN User Manual Configure the Basic Attributes of the LDAP server. The following are basic attributes:  Server Name, Description: Configures the name and description of the LDAP server.  Server Address: Configures the usable IP address and port of the LDAP server. You can add multiple IP addresses and ports.
  • Page 211 Configure Group-Mapping tab. Group mapping only applies to the LDAP users that have not been imported to the Sangfor device. The users in specified OU on the LDAP server will be mapped to a local group after successful login, and therefore have...
  • Page 212 SANGFOR SSL M6.8EN User Manual The following are the contents included on the Group Mapping tab:  Add: To add a group mapping rule that maps specified LDAP users to the local group, click it to enter the Add Group Mapping Rule page, as shown in the figure below: ...
  • Page 213 SANGFOR SSL M6.8EN User Manual Click Automatic Mapping to enter the Auto Create Group Mapping Rule – Step 1: Select OU page, as shown below: Select a mapping method, Mapping for each selected OU or Mapping for selected top-level OU, and then select the organizational units (OU).
  • Page 214 Configure Role Mapping tab (if you are adding an MS Active Directory server). Role Mapping helps map the security groups from the MS Active Directory server to the roles on this Sangfor device. Once a user matches certain role-mapping rule and is mapped to the role on the Sangfor device, the associated user will be permitted to access the resources that are associated with that role.
  • Page 215 SANGFOR SSL M6.8EN User Manual to Role fields, as shown below:  Delete: To delete a role mapping rule, select the rule and click Delete.  Edit: To edit a role mapping rule, select the rule and click Edit. ...
  • Page 216 The option Attribute names of associated resources applies only to the LDAP users who do not have a corresponding account on the Sangfor device. For the LDAP users that already exist on the User Management page (under SSL VPN>Users), this option has no effect.
  • Page 217: Radius Authentication

    Click the Save button and then the Apply button to save and apply the settings. RADIUS Authentication The Sangfor device supports a third-party RADIUS server to verify the users connecting to the SSL VPN. Configuring RADIUS Server Navigate to SSL VPN>Authentication to enter the Authentication Options page. Click the Configure button...
  • Page 218 SANGFOR SSL M6.8EN User Manual 10. Configure the Basic Attributes of the RADIUS server. The following are basic attributes:  Server Name, Description: Configures name and description of the RADIUS server.  Server Address: Configures the usable IP address and port of the RADIUS server. You can add multiple IP addresses and ports.
  • Page 219 12. Configure Group Mapping rule. The users with the specified class attribute will be mapped to the corresponding group on the Sangfor device after successful login, and therefore have the same privileges as the users under the group to which they are mapped.
  • Page 220: Certificate/Usb Key Based Authentication

    13. Click the Save button and then the Apply button to save and apply the settings. Certificate/USB Key Based Authentication The Sangfor device supports both a built-in (local) CA and an external CA, and can display certificate information. Certificates can be generated and configured on the Certificate/USB Key Based Authentication page.
  • Page 221: Local Ca (Rsa Encryption Standard Based)

    SANGFOR SSL M6.8EN User Manual The above figure shows the contents of the Certificate/USB Key Based Authentication page when the current CA is an external CA. If the current CA is the local CA, the CA Options and Online Certificate Status Protocol (OCSP) parts are absent.
  • Page 222 SANGFOR SSL M6.8EN User Manual Click Update to enter the page for creating certificates for enterprise users, as shown in the figure below: Select the Key Encryption option: RSA Encryption Standard (the international standard) or SM2 Encryption Standard (the Chinese national standard). The RSA key length can be 1024, 2048 or 4096 bits; the SM2 key length can only be 256 bits. Prefer 2048 bits or longer for RSA, since 1024-bit RSA keys are no longer considered adequate.
  • Page 223: External Ca

    SANGFOR SSL M6.8EN User Manual External CA Click Add to enter the External CA page, as shown in the figure below: Import the external CA and configure the CA name, as shown in the figure below: Browse and select a CA root certificate from the computer. The certificate file extension should be .crt, .cer or .p7b.
  • Page 224 SANGFOR SSL M6.8EN User Manual  Username Attr: The field of the CA-issued certificate that holds the user name; this name is displayed in the main interface of the client. CN, Email and OID are supported.  Binding Field: The certificate field that is bound to the local user when a user certificate issued by this CA is imported.
  • Page 225 SANGFOR SSL M6.8EN User Manual If the option Trust the users who have imported certificate issued by current CA is selected, users can log in to the SSL VPN with their own certificates only after those certificates have been imported to the Sangfor device.
  • Page 226 SANGFOR SSL M6.8EN User Manual  Certificate DN: Configures the DN of the certificate, which can be found in the certificate subject.  Map to Group: Configures the local group to which the certificate users will be mapped if their certificates have the configured DN.
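The Certificate DN and Map to Group settings above decide which local group a certificate holder lands in, and Username Attr (page 224) decides which subject field becomes the displayed user name. The following is an added Python example, not code from the manual or from Sangfor, that parses an X.509 subject DN string and applies such rules. Assumptions: every attribute=value pair of a rule must be present in the subject, rules are tried in order and the first match wins, and the subject strings, rule DNs and group names are constructed.

```python
"""Map certificate holders to local groups by subject DN (added example).

Assumptions not taken from the manual: a mapping rule is a DN fragment whose
attribute=value pairs must all appear in the certificate subject, rules are
tried in order and the first match wins, and the Username Attr setting is one
of "CN", "Email" or a dotted OID string.
"""
import re


def parse_dn(dn):
    """Parse an RFC 4514 style string DN into {ATTR: [values]}.

    Splits on commas that are not backslash-escaped, so a subject such as
    "CN=Smith\\, John,O=Sangfor" keeps the comma inside the CN.  Attribute
    types are upper-cased so cn/CN and emailAddress/EMAILADDRESS compare equal.
    """
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, _, value = rdn.partition("=")
        attrs.setdefault(attr.strip().upper(), []).append(value.strip().replace("\\,", ","))
    return attrs


def username_from_subject(subject, username_attr):
    """Return the name the client shows, taken from the field named by Username Attr."""
    attrs = parse_dn(subject)
    if username_attr.upper() == "CN":
        candidates = ["CN"]
    elif username_attr.upper() == "EMAIL":
        candidates = ["EMAILADDRESS", "E", "MAIL"]   # common spellings of the e-mail attribute
    else:
        candidates = [username_attr]                # an OID such as 2.5.4.42 (givenName)
    for key in candidates:
        if attrs.get(key):
            return attrs[key][0]
    raise KeyError(f"subject {subject!r} has no {username_attr} attribute")


def dn_matches(subject_attrs, rule_dn):
    """True when every attribute=value pair of rule_dn occurs in the subject (case-insensitive)."""
    for attr, wanted in parse_dn(rule_dn).items():
        present = [v.lower() for v in subject_attrs.get(attr, [])]
        if any(w.lower() not in present for w in wanted):
            return False
    return True


def map_to_group(subject, rules, default=None):
    """Return the local group of the first matching (Certificate DN, Map to Group) rule."""
    attrs = parse_dn(subject)
    for rule_dn, group in rules:
        if dn_matches(attrs, rule_dn):
            return group
    return default


# Constructed rules: most specific first, because the first match wins.
RULES = [
    ("OU=Finance,O=Sangfor", "finance"),
    ("O=Sangfor", "staff"),
]

if __name__ == "__main__":
    for subject in ("CN=alice,OU=Finance,O=Sangfor,C=CN",
                    "CN=bob,OU=Sales,O=Sangfor",
                    "CN=eve,O=Evil Corp"):
        print(subject, "->", map_to_group(subject, RULES, default="(no group, login denied)"))
```

Ordering matters: a broad rule such as O=Sangfor placed first would swallow every Sangfor certificate before the Finance rule is reached, so put the narrowest DN first. Matching is on whole attribute values, not substrings, so OU=Fin does not match OU=Finance.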
  • Page 227 Enable OCSP: Select this option and OCSP will be enabled and related options will appear.  Server Address, Server Port: Configure the address and port of OCSP server that provides OCSP service.  Authentication required: Select this option and the OCSP server will verify identity of the Sangfor device.
  • Page 228: Configuring Usb Key Model

    Under Supported USB Key Model, configure the model of third-party USB keys that can be identified by the Sangfor device while USB key of this model is plugged in to the end user’s PC. Unplugging key will lead to automatic logout.
  • Page 229: Scenario 17: Using Externalca Root Certificate To Generatedevice Certificate

    Purpose: Import and use the external CA root certificate to generate a certificate for the Sangfor device, so that end users who own certificates issued by that external CA can pass certificate based authentication when logging in to the SSL VPN. To achieve the expected purpose: Navigate to SSL VPN>System>Device Certificate, as shown in the figure below:...
  • Page 230 Configure the required fields. In this scenario, the country is CN (China), the state is GD (Guangdong), the city is SZ (Shenzhen), the company is Sangfor, the department is SUPPORT, the email address is support@sangfor.com, and the certificate is issued to the login page address 10.111.111.3 of the Sangfor device's administrator Web console.
  • Page 231: Scenario 18: Mapping User To Local Group Based On External Certificate

    SANGFOR SSL M6.8EN User Manual Get the Sangfor device certificate from the external CA. Navigate to SSL VPN>System>Device Certificate again and click the Process Pending Request link to process the pending request, as shown below: Select the Process pending request and install certificate option and click the Next button to proceed, as shown below: 10.
  • Page 232 Firstly, we need to configure the external CA and use it to generate certificates, so that users can use third-party certificates to log in to the SSL VPN. Secondly, we need to map the certificate users to a user group on the Sangfor device, so that they are granted the same privileges as the users under the target group.
  • Page 233 SANGFOR SSL M6.8EN User Manual Configure two mapping rules, one rule mapping LDAP ou1 to the local group ou1, and the other mapping LDAP ou2 to the local group ou2, as shown in the figures below:...
  • Page 234 SANGFOR SSL M6.8EN User Manual Navigate to SSL VPN>Roles, create two roles and associate the local groups ou1 and ou2 with different resources (for a detailed guide, refer to the Adding Role section in Chapter 4). Save the settings and then click the Apply button when configuration is completed.
  • Page 235 SANGFOR SSL M6.8EN User Manual  Domain Name: Used to set the Windows domain name  Short Domain Name: Used to set the short name of Windows domain  Domain Controller Name: Used to set Windows Controller Name  Domain Controller IP: Used to set Windows domain controller IP address ...
  • Page 236: Secondary Authentication Methods

    SANGFOR SSL M6.8EN User Manual Secondary Authentication Methods There are three secondary authentication methods, namely, SMS authentication, Dynamic Token based authentication and Hardware ID based authentication. SMS Authentication SMS authentication requires the connecting user to enter the SMS password he or she receives when logging in, after having passed the primary authentication(s).
  • Page 237: Using Built-In Sms Module To Send Sms Message

    Insert the SIM card of a cellular phone into the GSM modem. Use the serial cable (one end is male connector and the other end is female connector; attachment of Sangfor device when product is delivered) to connect the GSM modem to the CONSOLE interface on the rear panel of the Sangfor device.
  • Page 238 Select COM0 as the COM Port. Configure the Baud Rate of the serial port used for communication between the Sangfor device and the GSM modem. It is 9600 by default; change this value to match the GSM modem being used.
  • Page 239: Using External Sms Module To Send Sms Message

    To use a GSM modem to deliver SMS messages, prepare a GSM modem and a computer (the SMS server) that has a COM port and has the SMS software provided by SANGFOR installed. Note that they may not work if placed in a machine room where electromagnetic shielding measures are taken.
  • Page 240 Authentication to configure SMS authentication.  SMS Center IP: Enter the IP address of the SMS server into the field. Make sure the Sangfor device and SMS server can communicate with each other, that is, the Sangfor device is connected to the SMS server.
  • Page 241 SANGFOR SSL M6.8EN User Manual Add or edit user. Configure the mobile number, select user type Private user, and select secondary authentication SMS password, as shown in the figure below: End user logs in to the SSL VPN. After passing the primary authentication, user will be asked to enter the...
  • Page 242: Using Sms Gateway Of Isp To Send Sms Message

    Using SMS Gateway of ISP to Send SMS Message If the enterprise network is already deployed with SMS gateway of ISP, such as China Mobile, China Unicom, no other facility is needed except the Sangfor device. Configure the following: ...
  • Page 243: Dynamic Token Based Authentication

    SANGFOR SSL M6.8EN User Manual The following are the contents included on Hardware ID Based Authentication page:  Collect hardware ID only: If this option is selected, hardware IDs of endpoint computers will be collected, but hardware ID based authentication will not be enabled.
  • Page 244: Other Authentication Options

    SANGFOR SSL M6.8EN User Manual To go to the RADIUS Server page to configure a RADIUS server, click the Yes button. For the procedure for configuring a RADIUS server, refer to the RADIUS Authentication section in Chapter 4. Other Authentication Options This section includes configurations of...
  • Page 245: Password Security Options

    SANGFOR SSL M6.8EN User Manual is matched. If no account is matched eventually, user authentication will fail. To adjust order of an external authentication server, select the server and click Move to Top, Move Up, Move Down or Move to Bottom.
  • Page 246: Anonymous Login

    SANGFOR SSL M6.8EN User Manual  Brute-force Login Prevention: This security feature makes the system act to stop brute-force login attempts. If a user fails to log in too many times, the login IP address or the user account is locked, or word verification is required, for a period of time.
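Brute-force Login Prevention and the ordered matching of external authentication servers (page 245) sit on the same login path. The following added Python example, not Sangfor code, implements both with an injectable clock so the lockout window can be tested: a sliding-window failure counter per source IP and per account, the lock or word-verification action once the threshold is reached, and a server list that stops at the first server holding the account so a password is never retried against a later server. The thresholds, the in-memory account stores, the passwords and the IP addresses are constructed assumptions.

```python
"""Brute-force login prevention with ordered external authentication (added example).

Not Sangfor code.  Assumed policy: after max_failures failed logins within
`window` seconds, the offending IP address and the targeted account are both
held for lock_seconds; `action` selects whether a held key is rejected
outright ("lock") or must solve word verification first ("captcha").
"""
import time
from collections import defaultdict, deque


class BruteForceGuard:
    def __init__(self, max_failures=5, window=60, lock_seconds=300,
                 action="lock", clock=time.monotonic):
        assert action in ("lock", "captcha")
        self.max_failures, self.window, self.lock_seconds = max_failures, window, lock_seconds
        self.action, self.clock = action, clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._held_until = {}                 # key -> clock time at which the hold expires

    @staticmethod
    def _keys(ip, account):
        return (f"ip:{ip}", f"acct:{account.lower()}")

    def check(self, ip, account):
        """'allow' if neither the IP nor the account is held, else the configured action."""
        now = self.clock()
        for key in self._keys(ip, account):
            until = self._held_until.get(key)
            if until is not None and now < until:
                return self.action
            self._held_until.pop(key, None)   # hold expired: forget it
        return "allow"

    def record_failure(self, ip, account):
        now = self.clock()
        for key in self._keys(ip, account):
            recent = self._failures[key]
            recent.append(now)
            while recent and now - recent[0] > self.window:   # slide the window
                recent.popleft()
            if len(recent) >= self.max_failures:
                self._held_until[key] = now + self.lock_seconds
                recent.clear()

    def record_success(self, ip, account):
        # A correct password clears the account's counter only; the IP keeps its
        # history so one valid login cannot reset a spray against many accounts.
        self._failures.pop(f"acct:{account.lower()}", None)


def authenticate(servers, guard, ip, username, password):
    """Try servers in configured order; the first one that knows the account decides.

    Mirrors the manual's rule that a user is matched against external servers
    in order and fails if no account matches anywhere.
    """
    verdict = guard.check(ip, username)
    if verdict != "allow":
        return verdict
    for accounts in servers:                     # constructed stand-ins for LDAP/RADIUS servers
        if username in accounts:
            if accounts[username] == password:
                guard.record_success(ip, username)
                return "ok"
            break                                # account matched, wrong password: stop here
    guard.record_failure(ip, username)
    return "fail"


# Constructed account stores standing in for two external servers, in priority order.
SERVERS = [{"alice": "Wonderland!1"}, {"bob": "builder#2"}]
```

Counting both per IP and per account matters: an attacker rotating source addresses against one account hits the account counter, while one address spraying a common password across many accounts hits the IP counter. The word-verification action keeps a locked-out legitimate user able to log in, at the price of a CAPTCHA, where a hard lock would let an attacker deny service by deliberately failing logins.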
  • Page 247 SANGFOR SSL M6.8EN User Manual  Enable, Disable: If Disable is selected, no user could log in to the SSL VPN anonymously. If Enable is selected, anonymous login is enabled, and end users can access the SSL VPN anonymously, simply by clicking the Anonymous button on the login page, as shown below: ...
  • Page 248: Policy Sets

    SANGFOR SSL M6.8EN User Manual Policy Sets A policy set is a collection of policies controlling the end user's access to the SSL VPN, rights at the client end, and access rights on the Secure Desktop, including the settings of Client, Account, Secure Desktop and Remote Application.
  • Page 249: Adding Policy Set

    SANGFOR SSL M6.8EN User Manual Adding Policy Set Navigate to SSL VPN > Policy Sets and click Add > Policy set to enter the Add Policy Set page, as shown below: Specify the name and descriptive information for the policy set.
  • Page 250 SANGFOR SSL M6.8EN User Manual function avoids the situation that some users preempt most of the HQ bandwidth with insufficient bandwidth left for others. Unchecking it means no limit on bandwidth used at client end.  Preferred to enable byte cache: Check it to have the corresponding user preferentially enjoy the speedup of file access or downloading when the number of concurrent users reaches the maximum.
  • Page 251 SANGFOR SSL M6.8EN User Manual resource, and specify valid period only during which user is allowed to login, maximum number of days required for a user account to be disabled due to not being used, and user idle timeout after login.
  • Page 252 SANGFOR SSL M6.8EN User Manual allow private user to modify the password, description and mobile phone number. If a private user is allowed to modify the password, description and mobile number, the user can click Settings (at upper right of the page) to modify its password, description and mobile number after logging in to SSL VPN.
  • Page 253: Scenario19: Configuring Secure Desktop

    SANGFOR SSL M6.8EN User Manual Select the desired directory for storing files on a remote server, either [private directory] or [public directory]. Click Save to save the settings or Cancel to discard them. To have the settings take effect, click the Apply button at the upper right of the next page.
  • Page 254 SANGFOR SSL M6.8EN User Manual Enter a name and description for the policy set and click Secure Desktop to enter the Secure Desktop tab, as shown below: Check the Enable Secure Desktop option to enable Secure Desktop, and all the options displayed on the Secure Desktop tab are available.
  • Page 255 SANGFOR SSL M6.8EN User Manual Configure Accessible Subnets to have the 192.168.1.1-192.168.1.254 subnet accessible to users after they log in to SSL VPN. Click Add to enter the Add Subnet page, and then enter 192.168.1.1 and 192.168.1.254 respectively, as shown below: Click theOK button and the subnet is added into the list.
  • Page 256 SANGFOR SSL M6.8EN User Manual Under Policy Set, click on the textbox to enter the Policy Set page, select the policy set Security and click the OK button, as shown below: Check Enforce its users/subgroups to inherit the policy set to have all the subgroups and users under the Default Group associate with the policy set Security as well or uncheck it to only have the Default Group itself and its direct users associate with the policy set.
  • Page 257 SANGFOR SSL M6.8EN User Manual 10. Associate the policy set Security with the user named Guest. Navigate to the SSL VPN > Users > User Management page, select the user Guest and click Edit to enter the Edit User page, as shown below: Uncheck Inherit parent group’s attributes to have the user associate its own policy set and...
  • Page 258 SANGFOR SSL M6.8EN User Manual Click the Save button and then the Apply button to save and apply the settings. 11. The end user logs in to the SSL VPN. As soon as he or she connects, the required components are installed automatically on the user's computer and Secure Desktop starts initializing, as shown below: After Secure Desktop initialization, the button Switch to Secure Desktop is displayed on the taskbar.
  • Page 259: Remote Servers

    SANGFOR SSL M6.8EN User Manual Remote Servers Remote servers fall into two kinds: application servers and storage servers. Remote application servers provide remote applications to SSL VPN users. After connecting to the SSL VPN, users can use the remote applications even though the corresponding application programs are not installed on their local computers.
  • Page 260: Adding Remote Application Server

    Server Address: Enter the IP address of the remote application server that the Sangfor device will connect to.  Server Port: Specify the communication port of the remote server through which the Sangfor device will connect. It is 7170 by default. ...
  • Page 261 SANGFOR SSL M6.8EN User Manual application server.  Status: Select whether to enable the current remote server. Select and add the application programs under Remote Application Programs.  To select application programs already available on the server, click Select from Server to open the following page, as shown below: ...
  • Page 262: Adding Remote Storage Server

    Configure Basic Attributes of the storage server. The following are the basic attributes:  Server Name, Description: Enter a name and description for the remote storage server.  Server Address: Enter the IP address of the remote storage server that the Sangfor device will connect...
  • Page 263 SANGFOR SSL M6.8EN User Manual  Server Port: Specify the communication port of the remote storage server, through which the Sangfor device will connect to. It is 7170 by default.  Admin Account: Enter the administrator name for logging into the remote storage server.
  • Page 264 SANGFOR SSL M6.8EN User Manual Click Save and then Apply to save and apply the settings.
  • Page 265: Endpoint Security

    (refer to the Configuring Advanced Policy Settings section in Chapter 4). Security Rules Security rule defining on the Sangfor device falls into two phases. The first phase is to predefine the rules that cannot be referenced directly by any security policy and must be combined with other basic rules and/or combined rules to form a “real”...
  • Page 266: Predefining Basic Rule

    SANGFOR SSL M6.8EN User Manual The following are the contents included on the Rule Predefining page:  Name: Indicates the name of the rule.  Type: Indicates the type of the rule, basic rule or combined rule.  Inspected Object: Indicates the object that is checked; if the connecting user's computer does not satisfy the restriction on that object, the check fails.
  • Page 267 SANGFOR SSL M6.8EN User Manual Configure the following fields on the above page.  Rule Name: Configures the name of the basic rule. The rule name will be seen in a prompt when user fails to pass the authentication check.
  • Page 268 SANGFOR SSL M6.8EN User Manual  File: If the inspected object is File, the options related to file will appear, as shown below: The following are the contents under File:  Specified file exists on user’s PC: If this option is selected, the specified file must exist on the hard disk of user’s computer.
  • Page 269 SANGFOR SSL M6.8EN User Manual Click the Check ActiveX Status button to check if WebUI Ctrl has been installed. If not installed, click the Install button to enter another page and follow the pop-up prompt to install the ActiveX control.
  • Page 270 SANGFOR SSL M6.8EN User Manual The following are the contents under Process:  Specified process must be running: If this option is selected, the specified process must exist on user’s computer before and/or after user logs in to the SSL VPN or resource. Otherwise, authentication check will fail.
  • Page 271 SANGFOR SSL M6.8EN User Manual The following are the contents under Registry:  Specified item exists in registry: If this option is selected, the specified item must exist in the registry of user’s computer before and/or after user logs in to the SSL VPN or resource. Otherwise, authentication check will fail.
  • Page 272 WAN Interface IP:If the inspected object is WAN Interface IP, the contents are as shown below: IP Address: Specifies the IP address of the WAN interface on Sangfor device. End user can connect to SSL VPN only through this WAN interface.
  • Page 273: Predefining Combined Rule

    SANGFOR SSL M6.8EN User Manual connecting user must have at least one of the hardware IDs. Otherwise, authentication check will fail. To view the hardware IDs in descending or ascending order by hardware ID, hostname or MAC address, click on the column header, Hardware ID, Hostname or MAC Address respectively.
  • Page 274 SANGFOR SSL M6.8EN User Manual  Name: Configures the name of the combined rule.  Description: Configures the description of the combined rule. Click Select Rule to enter the Select Rule page and specify the basic rules that this combined rule will include.
  • Page 275: Configuring Security Rule

    SANGFOR SSL M6.8EN User Manual Configuring Security Rule Security rule consists of basic rules and/or combined rules. When the connecting user satisfies one of these basic or combined rules, the security rule is matched. If the connecting user satisfies none of the basic or combined rules, the security rule will not be matched and user will fail the authentication check.
  • Page 276: Security Policy

    SANGFOR SSL M6.8EN User Manual Click the OK button to close the above page. Click the Save button and then the Apply button to save and apply the settings. The rules in the security rule are with OR logic. If any of the basic or combined rules is satisfied, the security rule is matched.
  • Page 277 SANGFOR SSL M6.8EN User Manual If the user fails the security check, he or she is informed of the security policy that caused the failure, as shown in the figure below. Role-level policy is applied to roles that are associated with users, and checks the endpoint when the associated users log in to the SSL VPN (pre-authentication check) or access the resource (post-authentication check).
  • Page 278 SANGFOR SSL M6.8EN User Manual In case that a user is tied to a user-level policy and its associated role is tied to a role-level policy, when the user connects to SSL VPN, he/she goes through user-level security check first. If user fails the user-level security check, he/she cannot log in to the SSL VPN.
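The layering described in this section (basic rule, combined rule, OR-matched security rule, user-level policy checked before role-level policies) determines which policy name a rejected user sees. The following added Python example, not Sangfor code, evaluates a constructed endpoint posture through that layering and returns the name of the policy that failed. Assumed, because the manual does not state it: a combined rule requires all of its basic rules (AND), and a policy passes only when all of its security rules match. The file path, process names, hardware IDs and WAN interface address are constructed.

```python
"""Endpoint security rule and policy evaluation (added example, not Sangfor code).

Models the manual's layering: basic rules inspect one object (file, process,
registry, WAN interface IP, hardware ID); a combined rule groups basic rules;
a security rule is matched when ANY of its basic/combined rules is satisfied
(OR logic); a policy lists security rules; the user-level policy is checked
before the role-level policies.  Assumed, not stated by the manual: every
basic rule inside a combined rule must pass (AND), and a policy passes only
when all of its security rules match.
"""
from dataclasses import dataclass
from typing import Callable, List, Union

# The endpoint posture is a dict the client component would collect, e.g.
# {"files": {...}, "processes": {...}, "registry": {...}, "wan_ip": "...", "hardware_id": "..."}


@dataclass
class BasicRule:
    name: str
    check: Callable[[dict], bool]       # the inspected-object test

    def matches(self, endpoint):
        return bool(self.check(endpoint))


@dataclass
class CombinedRule:
    name: str
    parts: List[BasicRule]

    def matches(self, endpoint):
        return all(p.matches(endpoint) for p in self.parts)   # assumption: AND


@dataclass
class SecurityRule:
    name: str
    rules: List[Union[BasicRule, CombinedRule]]

    def matches(self, endpoint):
        return any(r.matches(endpoint) for r in self.rules)   # OR, as the manual states


@dataclass
class Policy:
    name: str
    security_rules: List[SecurityRule]

    def passes(self, endpoint):
        return all(s.matches(endpoint) for s in self.security_rules)


def security_check(endpoint, user_policy, role_policies):
    """Return (True, None) or (False, name of the policy that failed).

    User-level first: a failure there denies login outright and role-level
    policies are never consulted; otherwise each role-level policy is checked
    and a failure names the role whose resources are refused.
    """
    if user_policy is not None and not user_policy.passes(endpoint):
        return False, user_policy.name
    for policy in role_policies:
        if not policy.passes(endpoint):
            return False, policy.name
    return True, None


# Constructed rules.  Paths, process names, hardware IDs and the WAN address are illustrative.
av_installed = BasicRule("AV installed", lambda e: r"C:\Program Files\AV\avp.exe" in e["files"])
av_running = BasicRule("AV running", lambda e: "avp.exe" in e["processes"])
av_ok = CombinedRule("AV installed and running", [av_installed, av_running])
corporate_hw = BasicRule("Corporate hardware ID", lambda e: e["hardware_id"] in {"HW-0001", "HW-0002"})
via_primary_wan = BasicRule("Primary WAN interface", lambda e: e["wan_ip"] == "10.111.111.3")

BASELINE = Policy("Baseline", [SecurityRule("Protected endpoint", [av_ok, corporate_hw])])
FINANCE = Policy("Finance", [SecurityRule("Entered via primary WAN", [via_primary_wan])])


def sample_endpoint(**overrides):
    """A constructed compliant posture; keyword arguments override fields."""
    base = {"files": {r"C:\Program Files\AV\avp.exe"},
            "processes": {"avp.exe", "explorer.exe"},
            "registry": set(),
            "wan_ip": "10.111.111.3",
            "hardware_id": "HW-9999"}
    base.update(overrides)
    return base
```

Because a security rule is an OR, a machine with no antivirus still passes the Baseline policy if its hardware ID is on the corporate list; if both conditions are meant to be required, they belong in one combined rule rather than side by side in a security rule.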
  • Page 279: Adding User-Level Policy

    SANGFOR SSL M6.8EN User Manual  Applicable User/Group: Select and click a user-level policy to view the users and/or groups to which this policy is applied. You can also select more users or remove users from the list. Adding User-Level Policy Navigate to SSL VPN>Endpoint Security>Policies to enter the User-level Policy page and click Add, as...
  • Page 280 SANGFOR SSL M6.8EN User Manual To search for a certain group, enter the group name into the Search field on the left pane and click the magnifier icon. The user group is highlighted in bold if found. To search for a certain user, enter the user name into the Search field on the right pane, and click the...
  • Page 281: Adding Role-Level Policy

    SANGFOR SSL M6.8EN User Manual Click the Save button to save the settings. Adding Role-level Policy Navigate to SSL VPN>Endpoint Security>Policies>Role-level Policy page and click Add, as shown below: Configure the Basic Attributes of the role-level policy. The following are basic attributes: ...
  • Page 282 SANGFOR SSL M6.8EN User Manual To select and add role, click Add to enter the Select Role page, as shown below: Select the desired roles and click the OK button, and the selected roles are added to the assigned roles list,...
  • Page 283 SANGFOR SSL M6.8EN User Manual To remove a role from the list, select the role and click Delete. To add more roles, click Add again, select and add other roles into the list. To save the settings, click the OK button.
  • Page 284: Configuring Advanced Policy Settings

    SANGFOR SSL M6.8EN User Manual Configuring Advanced Policy Settings As mentioned above, there are pre-authentication checks and post-authentication checks. The post-authentication check is conducted periodically after the user logs in to the SSL VPN or accesses a resource. The following are the contents included on the Advanced Settings page: ...
  • Page 285: Built-In Rules Update

    Built-in Rules Update Built-in rules are a set of rules provided by SANGFOR, more specifically, a database of commonly-used security rules that will be updated periodically. Navigate to SSL VPN>Endpoint Security>Built-in Rules Update, and the Update of Built-in Rule Database...
  • Page 286 Install Rule Update Package: Browse and load the rule update package through the From File field, and then click the Upload and Install button. Before browsing for the update package on the PC, the administrator needs to click the Download link and go to the SANGFOR official website to download the update package by hand.
  • Page 287 - Auto-Update Options: Select Enable auto-update and specify the link to the update server, and the Sangfor device will check for updates on the specified update server to update the built-in rules automatically. - Save: Click this button to save the settings.
  • Page 288: Chapter 5 Firewall

    Navigate to Firewall > Service to enter the Services page, as shown below: For example, to configure filter rules on the Sangfor device to filter the service data of an SQL server, you first need to define the protocol and port used by the SQL server.
  • Page 289: Defining IP Group

    Defining IP Group IP groups are predefined objects that can be referenced by firewall rules as the source or destination IP address. To view and define an IP group, navigate to Firewall > IP Group to enter the IP Group page, as shown below: For example, to configure filter rules specific to the data requested from the 192.168.1.0/24 subnet, you first need...
  • Page 290: Defining Filter Rule

    IP address and destination IP address. The filter rules cover the rules applied to access to the local Sangfor device, and rules applied to access among four interfaces (LAN, DMZ, WAN, VPN interfaces), including the following directions: LAN<->DMZ, DMZ<->WAN, WAN<->LAN, LAN<->LAN, DMZ<->DMZ, VPN<->WAN and VPN<->LAN.
  • Page 291: Scenario 20: Configuring LAN<->DMZ Filter Rules

    VPN<->LAN: Defines the filter rules applied to data access between the VPN interface and LAN interface of the Sangfor device. There are six filter rules built in each Sangfor device, which allow all TCP, UDP and ICMP data from VPN interface to LAN interface and from LAN interface to VPN interface.
  • Page 292 Archive logs: Select it to enable the corresponding firewall log; the system will then record a log entry whenever data packets matching this filter rule pass through the Sangfor device. Generally, it is recommended to uncheck this option to avoid generating a massive volume of logs.
  • Page 293 3. Configure a filter rule applicable to data sent from DMZ to LAN, as shown below: 4. Click Save to save the settings.
  • Page 294: Scenario 21: Configuring LAN<->VPN Filter Rules

    Scenario 21: Configuring LAN<->VPN Filter Rules Background: - The branch (172.16.1.0/24) has established VPN connection with the Headquarters. - There is a server (192.168.10.20) located at Headquarters, providing Web service and SQL SERVER service. Purpose: ...
  • Page 295 3. Configure the filter rule for Web service, as shown below:...
  • Page 296 4. Configure the filter rule for SQL Server service, as shown below: To implement control over HQ employees’ access to other services provided by the branch or over branch employees’ Internet access through HQ, configure the corresponding filter rules to filter data sent between two...
  • Page 297: Configuring NAT Rule

    The Sangfor device not only provides the basic NAT function but also controls (allows/denies) the data packets from LAN users requesting Internet access, in cooperation with the filter rules. By default, there is no SNAT rule configured on the Sangfor device. If any SNAT rule is needed, configure the SNAT rule according to the specific case.
  • Page 298 To achieve the expected purpose: 1. Navigate to Firewall > NAT > SNAT Rule, and click Add to enter the Edit DNAT Rule page, as shown below...
  • Page 299: Configuring DNAT Rule

    2. Configure the SNAT rule as shown in the figure above, with the ingress interface being VPN and the source address being the LAN subnet of the branch. 3. Click the Save button to save the settings. Configuring DNAT Rule The DNAT Rule page, as shown below, enables you to configure the Destination Network Address Translation (DNAT) rules required if servers located in the LAN provide services to the Internet.
  • Page 300: Scenario 23: Adding DNAT Rule

    Scenario 23: Adding DNAT Rule Background: There is a LAN server (IP address: 192.168.10.20) providing Web service through the port 80. Purpose: Configure a DNAT rule to publish the Web service to the Internet on port 80, so that Internet users can access the Web service.
  • Page 301: Configuring IP/MAC Binding

    Therefore, when an unknown internal machine connects to the Sangfor device, it cannot access the Internet through the Sangfor device if its IP address and MAC address are not in the IP/MAC binding list. If the MAC address of a certain IP address is found inconsistent with that in the IP/MAC binding list, the Sangfor device will also deny its request for Internet access.
  • Page 302 For an IP address already in the IP/MAC binding list, the Sangfor device will check whether its MAC address matches that in the list (on the condition that the IP/MAC binding function is enabled). If yes, the corresponding user can access the Internet;...
  • Page 303: Configuring HTTP Port

    The HTTP Port page enables you to define the HTTP service port. By default, it is port 80. If the Enable URL access option is selected in Firewall > NAT > Access Right > Access Right of Local Users, the Sangfor device will record the information of the URL accessed by users through port 80 and filter the URL information sent through port 80.
  • Page 304 Navigate to Firewall > NAT > URL Group to enter the URL Group page, as shown below: To add a URL group: 1. Click Add to enter the Edit URL Group page, and then enter a name and description for the URL group, as shown below: 2.
  • Page 305: Defining WAN Service

    Defining WAN Service WAN services are services provided by external networks, which are initially accessible to LAN users if they can connect to the external network. However, access to WAN services can also be restrained by the WAN service entry configured on the Sangfor device.
  • Page 306 If the service address is a domain name, click the Resolve Domain Name button on the Edit WAN Service page to enter the Resolve Domain Name page, and then enter the domain name and click the Resolve button to resolve the domain name.
  • Page 307: Configuring Access Right of Local Users

    Configuring Access Right of Local Users The Access Right of Local Users page controls LAN users’ access to the Internet. It is one of the most common ways used on firewall devices to allow/block LAN users’ access to the services provided over external networks.
  • Page 308 4. Click the Add button on the IP Range tab and enter the LAN IP addresses applicable to this rule, as shown below: 5. Click the WAN Service tab and specify the WAN services for the LAN users configured in Step 4.
  • Page 309 When a LAN user initiates a request for Internet access, the firewall will inspect the data packet based on the selected rules from top to bottom. The Default Action specifies the action that will be taken if none of the selected rules is matched.
  • Page 310 7. Click the Save button to save the settings.
  • Page 311: Real-Time Monitoring

    Real-time Monitoring Viewing Real-time Traffic The Traffic page shows the information of inbound and outbound traffic related to LAN users. Navigate to Firewall > Monitor > Traffic to enter the Traffic page, as shown below:...
  • Page 312: Configuring Anti-DoS

    IP address to the gateway. When the number reaches the threshold specified, the Sangfor device will regard the requests as a DoS attack and lock the IP address for a certain period to protect itself.
  • Page 313 skip checking for source IP address of packet, directly monitor/calculate the number of packets sent and finally determine whether to lock the IP address according to the number calculated and thresholds configured in the defense settings below.
  • Page 314: Configuring QoS Priority

    A QoS outbound rule enables the administrator to set priority for specific data sent through the WAN interface(s) of the Sangfor device. You can set higher priority for critical business data, so that it will be given more bandwidth and be transmitted earlier and faster. The default rule named Default service is a built-in rule, and only its priority level is editable.
  • Page 315: Configuring QoS Inbound

    A QoS inbound rule enables the administrator to set priority for specific data received through the WAN interface(s) of the Sangfor device. You can set higher priority for critical business data, so that it will be given more bandwidth and be transmitted earlier and faster.
  • Page 316 To add a QoS inbound rule, please refer to the above section Configuring QoS Outbound Rule. The following figure shows the contents included on the Add QoS Inbound Rule page.
  • Page 317: Chapter 6 System Maintenance

    Update. Viewing Logs The Logs page displays running status information and error information of the Sangfor device. There are two types of logs: system logs and operation logs. The former displays the running information of each module of the current Sangfor device and the latter displays the information on operations performed by administrators.
  • Page 318: Viewing Operation Logs

    Viewing Operation Logs To view the operation logs, select Operation logs and a date, and the operation logs of the specified date will be displayed, as shown below: To filter the operation logs, click the Filter Options button to enter the following page, and then select the desired...
  • Page 319: Backing Up/Restoring Configurations

    Backing Up/Restoring Configurations Navigate to Maintenance>Backup/Restore to back up or restore the system configurations and SSL VPN configurations on the System Config and SSL VPN Config pages respectively, as shown below:...
  • Page 320 The following are contents included on the System Config page: - Download Current Config File: To back up the current configurations, click this link to download and save the current configurations to the local computer. The configurations are saved as a .bcf file.
  • Page 321: Restarting/Shutting Down Device Or Services

    SSL VPN service. Navigate to Maintenance > Restart/Shutdown to enter the Restart/Shutdown page, as shown below: - Shut Down Device: To stop all the running services, save current configurations and shut down the Sangfor device. - Restart Device: To shut down and restart the Sangfor device.
  • Page 322 Navigate to Maintenance > Restart/Shutdown > About SSL VPN to enter the Update options page, as shown below: - Enable auto-update: Select this option to enable the automatic update function, and specify the Interval. The device will check for updates and download them automatically at intervals of the specified period.
  • Page 323: Appendix A: End Users Accessing SSL VPN

    Appendix A: End Users Accessing SSL VPN This section introduces how end users configure the browser and log in to SSL VPN. Required Environment - End user’s computer can connect to the Internet. - No security assistant software is installed on the computer, because this kind of software may influence the use of SSL VPN.
  • Page 324 Click the Advanced tab. Find the Security item and select the checkboxes next to Use SSL 2.0, Use SSL 3.0 and Use TLS 1.0, as shown in the figure below: Enter the SSL VPN address into the address bar of the browser and visit the login page to SSL VPN.
  • Page 325 Click the View Certificate button to complete installing the root certificate if this is the first time you log in to the SSL VPN administrator Web console. The information of the root certificate is as shown below:...
  • Page 326 Select a directory to store the certificate and click the Next button. After confirming the settings and clicking the Finish button, another warning pops up asking whether to install the certificate, as shown in the figure...
  • Page 327: Using Account to Log In to SSL VPN

    Using Account to Log In to SSL VPN If the root certificate has been installed, the user can visit the login page to the SSL VPN. The login page is as shown in the figure below: Enter and submit the required credentials through the login page. The following are the contents included on the login page:
  • Page 328 TCP and L3VPN components can be installed automatically if the administrator has selected the option Install TCP and L3VPN components on user's logon on the Sangfor device, or installed by the end user after clicking the Enable TCP Component and Enable L3VPN component buttons, as shown in the figure below: To log out of the SSL VPN, click Log Out at the upper right of the page.